Menu

One of the things I do is cryptography and infosec training for investigative journalists who have a need to keep either their sources and communications confidential so they can more safely do their work in the public interest. Often they work in places which are heavily surveilled, like Europe, or the United States. Ed Snowden’s documents explain a thing or two about how the US intelligence apparatus goes about its day-to-day business. They sometimes also work in places in the world where rubber hose cryptanalysis is more common than in say the U.S. or Europe. Which is why crypto tools alone are not the Alpha and the Omega of (personal) security. This requires careful consideration of what to use when, and in what situation. One of the things I have recommended in the past for various cases is the OpenWhisperSystems’ app called Signal, available for Android and iOS. In this article, I want to explain my reasons why I won’t be recommending Signal in the future.

To be clear: the reason for this is not security. To the best of my knowledge, the Signal protocol is cryptographically sound, and your communications should still be secure. The reason has much more to do with the way the project is run, the focus and certain dependencies of the official (Android) Signal app, as well as the future of the Internet, and what future we would like to build and live in. This post was mostly sparked by Signal’s Giphy experiment, which shows a direction for the project that I wouldn’t have taken. There are other, bigger issues which deserve our attention.

What is Signal?

Signal is an app published by OpenWhisperSystems, a company run by Moxie Marlinspike. It has published an official Signal app for Google Android, and Apple iOS. Signal has been instrumental in providing an easy-to-use, cryptographically secure texting and calling app. It is a combination of the previously separate apps TextSecure and Redphone, which were combined into one app called Signal.

One of the main reasons why I recommended it previously to people was that it was easy to use, next to the cryptographic security. This is one good thing Signal has going for it. People could just install it and then communicate securely. Cryptographic software needs to be much more simple to use, and use securely, and Signal is doing its thing on the mobile platforms to create an easy-to-use secure messaging platform. I do appreciate them for that. I wanted to get that out of the way.

Multiple problems with Signal

There are however, multiple issues with Signal, namely:

Lack of federation

Dependency on Google Cloud Messaging

Your contact list is not private

The RedPhone server is not open-source

I’ll go into these one at a time.

Lack of federation

There is a modified version of Signal called LibreSignal, that removed the Google dependency from the Signal app, allowing Signal to be run on other (Android) devices, like CopperheadOS, or Jolla phones (with Android compatibility layer). In May this year, however, Moxie made it clear that he does not want LibreSignal to use the Signal servers, and that he does not approve of the name. The name is something that can change, that is not a problem. What is a problem, however, is the fact that he does not want LibreSignal to use the Signal servers. Which would be fine if he allowed LibreSignal to federate across using their own servers. This was tried once (Cyanogenmod, and also offered to Telegram, of all people) but subsequently abandoned, because Moxie believes it slows down changes to the app and/or protocol.

The whole problem with his position however, is that I don’t see the point of doing any of this secure messaging stuff, without having federation. The internet was built on federation. Multiple e-mail providers and servers for instance, can communicate effortlessly with one another, so I can send an e-mail to someone who has a Gmail address or a corporate address, etc. without effort and it all works. This works because of federation, because the protocols are all open standards and there are multiple implementations of the standards who can cooperate and communicate together. Another example would be the Jabber/XMPP protocol, which also has multiple clients on multiple platforms who can communicate securely with one another, despite one having a Jabber account on another server than the other.

If we don’t federate, if we don’t cooperate, what is there to stop the internet from becoming a bunch of proprietary walled gardens again? Is the internet then really nothing more than just a platform for us to use certain proprietary silo services on? Signal then, just happens to be a (partly proprietary) silo on which your messages are transmitted securely.

Dependency on Google Cloud Messaging

Currently, the official Signal client depends on Google Cloud Messaging to work correctly. The alternative that has been developed by the people of LibreSignal has removed that dependency, so people running other software, like Jolla or CopperheadOS can run Signal. Unfortunately, the policy decisions of OpenWhisperSystems and Moxie Marlinspike make it so that it became impossible to reliably run unofficial Signal clients that use the same server infrastructure, so people can communicate. Also, federation, like explained in the previous section, is expressly hindered and prohibited by OpenWhisperSystems, so it is not an option for LibreSignal to simply run their own servers and then federate within the wider Signal network, allowing people to contact each other across clients.

What is Google Cloud Messaging?

The Google Cloud Messaging service is used by Signal with empty messages in order to wake up the device before the actual messages are pushed to the device by Signal’s servers.[1] There is a way to use Signal without depending on GCM, but that uses microg, and that asks people to basically re-compile their kernel (at least I had to in my case). This is not something you can ask of non-technical users. I would like to be able to run an official Signal client (or any secure messaging client) on hardware that runs CopperheadOS for example.

Unrelated to GCM directly, but since on Android devices, Google usually has root access to the phone, there’s the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies. PRISM is also still a thing. I’m pretty sure that Google could serve a specially modified update or version of Signal to specific targets for surveillance, and they would be none the wiser that they installed malware on their phones. For this reason it would also be strongly preferable to run a secure messaging client on a more secure platform. Currently when it comes to Signal this cannot be done in any official way, and it would help for the people who really need secure messaging services (instead of the people who merely use it as a replacement of say WhatsApp), if the software runs on other Android distributions, like Copperhead.[2]

Your contact list (social graph) is not private

Here is the permission list of Signal, including OpenWhisperSystems’ explanation for the need for them. As you can clearly see, Signal is allowed (if you install it), to read and modify your contacts. Signal associates phone numbers with names in a similar way that Whatsapp is doing, and this is a big reason why they feel they need to read your contact list. Also, there’s a usability thing where they display the contacts’ names and pictures in the Signal app. It hashes them before sending them to the server, but since the space of possible hashes is so small for phone numbers, this does not provide a lot of security. Moxie has stated previously (in 2014) that the problem of private contact discovery is difficult, lays out different strategies that don’t work or do not give satisfying performance, and then admits it’s still an unsolved problem. Discussion regarding this seemed to have moved from a Github issue to a mailing list, and I don’t know of any improvement on this front.[2]

This could of course all been done differently, by using usernames to connect users instead of their phone numbers (incidentally, this would also allow people who use multiple phone numbers on the same device to use Signal reliably). And last time I checked, if you use the same phone number on a different device, Signal will get deregistered on the old device.

Another issue, and a plus for using usernames, is that you may want to use Signal with people you don’t necessarily want to give your phone number to. And federation would also be easier with usernames, and servers, separated by a symbol, like the @. Just like in the case of Jabber/XMPP. I also see no usability issues here, as even very non-technical people generally get the concept of an address, or an e-mail address, and this would be very similar.

RedPhone not open source

The phone component of Signal is called RedPhone. The server component of this is unfortunately not open source (so people are prevented from running their own phone servers, and this is also probably the reason why secure encrypted phone calls don’t work in e.g. LibreSignal.)

I don’t know exactly what prevents the RedPhone server code from being released (whether it is legal issues or simple unwillingness), but I do think it is strange that there is no movement whatsoever to move to a different/alternative solution, that respects users’ rights.

Moving forward

The big question now, as also said by @shiromarieke on Twitter, is what post-Signal tool we want to use. I don’t know the answer to that question yet, but I will lay out my minimum requirements of such a piece of software here. We as a community need to come up with a viable solution and alternative to Signal that is easy to use and that does in fact respect people’s choices, both in the hardware and software that they choose to run.

In my view, there should be a tool that is fully free software (as defined by the GNU GPL), that respects users’ freedoms to freely inspect, use, modify the software and distribute modified copies of the software. Also, this tool should not have dependencies on corporate infrastructure like Google’s (basically any partner in PRISM), that allows these parties to control the correct working of the software. The fact that Signal depends on Google Cloud Messaging, and Google technology in general is something that should be avoided.

In the end, I think we need to move to an Internet where there are more federated services, not less, where information is openly shared, and services publicly run by multiple people all over the world. Otherwise, we’ll be in danger of ending up in an neo-90s Internet, with walled gardens and pay walls all over the place. You already see this trend happening in journalism.

We need to remember that we’re fighting not only against government surveillance, but also against corporate surveillance as well. We need ways to defend against this, and using corporate solutions that create a dependency on these solutions, even if the communications themselves are not readable to them, there’s still the issue of metadata, and of course general availability of Google’s services to Signal.

It’s really unfortunate that OpenWhisperSystems isn’t more friendly to initiatives like LibreSignal, since these people did a lot of work which is now basically going to be thrown away because the person running Signal is not friendly to these initiatives.

We need to cooperate more as a community instead of creating these little islands, otherwise we are not going to succeed in defeating or even meaningfully defending against Big Brother. Remember, our enemy knows how to divide and conquer. Divide et impere. It’s been a basic government subjugation tactic since the Roman times. We should not allow our own petty egos and quest for eternal hacker fame to get in the way of our actual goal: dismantling the surveillance states globally.

Notes:[1]: An earlier version of this article stated incorrectly that GCM was used to transport Signal messages. While correct for a previous version of TextSecure, this is in fact not correct anymore for Signal. I’ve updated it, in response to this HN comment: https://news.ycombinator.com/item?id=12882815.[2]: Clarified my position re Google and GCM and the contact list / private contact discovery issue a bit.

This post is a quick, temporary break from my usual privacy/civil rights posts, to a post of a slightly more technical nature.

As WordPress is the most popular blogging platform on the internet, updates become crucial. However, the way WordPress runs at certain clients of mine means it’s not always just a question of clicking a button (or it happening automatically, as in recent versions of WordPress).

For security reasons, at certain websites in need of high security, but whose editors still want the ease of use of something familiar like WordPress, I like to keep WordPress off the publicly-accessible internet, and then have a static HTML copy of the website publicly accessible. This has advantages of security (the publicly-accessible web server only has to be able to serve static HTML and images), and also causes much less load on the server, allowing the server to respond to a much higher number of requests. This however, causes issues with the automatic update feature that’s built in to WordPress.

I recently wrote a script that can automatically update WordPress to the latest version available from the WordPress website, which is useful in cases where the automatic update feature in WordPress does not work, for instance when the admin interface is not routable on the public internet, such that it never gets notified if there’s a new version and can’t reach the public internet to fetch the updates.

In that case you’re forced to do the updates manually. The script I wrote was designed to help with that. I wrote it to expedite the task of updating WordPress, instead of having to manually remove certain directories and files, downloading the tarball from the official WordPress website, checking the SHA-1 checksum and then carefully copying the files/directories back over.

Demo

This is a quick demo of how it works:

The script is meant to be run whilst in the directory containing the WordPress files. Put the script somewhere in your PATH, go to the directory containing your WordPress files, then run it like so:

$ update-wordpress.sh

The script will automatically detect what version is the latest available (from the website), download that if necessary, or else use the copy of WordPress stored in the cache, and it will only update the website if the versions don’t match up.

Git

The script will also automatically detect if it’s running in a git repository. If this is the case, it will use the git rm command to properly record the removal of directories, and then do a git add . at the end.

To save even more time, the script can also auto-commit and push the changes back to a git repository if necessary. For this, the variables GIT_AUTOCOMMIT and GIT_PUSH exist. The default value is true, meaning that the script will automatically make a commit with the message:

Updated WordPress to version <version>

and then push the changes to the git repository. Of course, provided that you’ve correctly configured git to do a simple git push.

Caching

It will cache the latest version of WordPress in a directory in your home directory, called $HOME/.update_wordpress_cache, where it will put the latest.tgz file from the WordPress website, the SHA-1 checksum, and also the actual files unpacked in a wordpress directory. This is to prevent the script from re-downloading the files when you have multiple sites you want to update.

On 3 April 2016, the first few of the so-called Panama Papers were published by mainstream media across the West. The Panama Papers are a collection of allegedly 2.6 TB of data and documents by and related to Mossack Fonseca, a Panamanian law firm providing offshore trust services.

These documents allegedly provide proof of the rich and powerful in the world storing their massive stashes of money in tax havens across the world like the British Virgin Islands (BVI), Guernsey, The Netherlands, etc. This practice is called tax avoidance, and is usually not illegal. It is highly questionable from a moral standpoint though. Billions of euros or dollars flow through thousands of shell companies that provide no benefit to society in terms of services, goods and employment. And the country of residence of the billionaire in question doesn’t receive tax income which could be put to better use to improve society rather than sit on an anonymous bank account on the Cayman Islands.

Media Bias

One of the first things that struck me as odd, but that is sadly no longer surprising, was the incredibly one-sided reporting done on this by the media. On 3 April, lots of articlesappearedaboutthe Panama Papers, and they strongly implied that President Putin of Russia was mentioned in these documents. Even though Putin was not mentioned in the few actual documents released to this point, the mainstream media strongly implied (by using photographs depicting Putin, for instance), that Putin is personally involved with the arrangements mentioned in the documents by Mossack Fonseca. The BBC Panorama documentary entitled “Tax Havens of the Rich and Powerful Exposed” is also strongly biased in their editing, showing documents on-screen for only a few nanoseconds behind an unclear background. When you stop the video and zoom in you can clearly see that the documents shown are from the British Virgin Islands, while this British overseas territory is not mentioned even once in the documentary itself, while they are droning on about Putin and the Icelandic former Prime Minister Gunnlaugsson.

Why this massive media bias? Why is it necessary to remind us that leaders from countries like Russia, China, Zimbabwe, North Korea, Syria etc. are corrupt? We know that. That is not news. What would be news is to reveal hard evidence that Western billionaires like George Soros are just as corrupt, and worse, that they influence politics and world affairs using their massive stashes of money.

The reason why the bias is so strong is partly due to the methodology used, and partly because of other interests. The Süddeutsche Zeitung gives a detailed explanation on how these documents were searched for interesting titbits. One of the things they did is focus on countries that may be violating UN sanctions, which might explain in part why the bias is on non-Western countries as it is. Also note that these documents only come from one law firm in Panama. If there would be another leak from, say, a law firm on the BVI, then we might find other people involved.

As Craig Murray, former UK Ambassador to Uzbekistan has written, Western journalists, the corporate media gatekeepers, are withholding the vast majority of the actual documents from the public. If we truly want to know what the impact of the Panama Papers is, without spin from the media, we should have access to the actual raw documents. Raw docs or it doesn’t exist, so to speak. If you don’t release 99% of the documents, you’re engaged in 1% journalism by definition. This is why I like the work that WikiLeaks is doing. They work very hard to publish the original source documents responsibly so that we can all learn how the world works from the original and authoritative source material. And then all journalists can read these documents on an equal standing. It’s been a pet-peeve of mine for many years that mainstream media don’t link to their sources like bloggers do. If a story is clearly based on documents like in this case the Panama Papers, just release the source documents together with your explanatory articles. Why is this such a problem?

Or are the journalists who have access to these documents afraid of possible blow-back if they report on the hand that feeds them?

Who is funding this?

Because that is the big elephant in the room. Who could be funding this propaganda extravaganza? Let’s have a look at the ICIJ’s site shall we?

George Soros at the Festival of Economics 2012, Trento. Photo by Niccolò Caranti.

The International Consortium of Investigative Journalists is based in Washington, D.C, and is a project of the Center for Public Integrity. There, on the funding page, you can read that amongst the big institutional funders are names like the Omidyar Network (Pierre Omidyar, owner of The Intercept and founder of eBay), the Open Society Foundations (George Soros), the W.K. Kellogg Foundation, the Rockefellers, The Democracy Fund (again: Omidyar), and many others.

The OCCRP (Organized Crime and Corruption Reporting Project) is also heavily involved with the Panama Papers project, and is sponsored, by (again) the Open Society Institute of George Soros, and also USAID, which is a US government agency and front organisation posing as a charity and frequently used as an instrument of regime change.

Is it strange that which such backers the very first news reports that came out were so incredibly biased? Given how much the US administration would like to see regime change in Russia, are these reports bashing the Russian President a surprise? No, sadly, I’m not surprised any more. What I find despicable, is that so many journalists who worked on this, like to think of themselves as independent and the ultimate arbiters of truth, when evidently, they are not.

Why are there not reports about the vast amount of wealth stashed away in tax havens by George Soros? Mark Zuckerberg? Warren Buffet? The journalists sacrificed a token Western leader like Gunnlaugsson from Iceland, so they can claim to be bias-free (“look, we’re also publishing on Western leaders!”), while in reality, their entire enterprise is funded by the rich and powerful in the West. So I think I can quite confidently predict that for instance George Soros’s financial arrangements in various tax havens will not be published. Mark my words.

Yesterday, the European Parliament passed a draft report containing the EP’s recommendations to the Commission on the negotiations for TTIP. TTIP is the “free trade” treaty that is being negotiated between the US and the EU. It is the latest chapter in a long range of abbreviations across the world, from ACTA, to CETA, to TPP, TISA, etc. The end goal for TTIP is to create a single, massive free trade area/single market between the United States and the European Union member states. In practice, this requires that our standards be lowered to theirs and American businesses given unfettered access to the European markets (and in name vice versa, but it remains to be seen whether that will be the case in reality.)

The negotiations with the United States are being conducted in secret. There are various MEPs who are regularly informed about the progress of the negotiations, but they are prevented from saying anything substantial about the actual contents of the documents currently on the table. The peoples of Europe have no influence and no say in what makes it in the final treaty. Most of the Members of the European Parliament also have no idea about the exact contents of the negotiating document, and what is currently on the table. The European Parliament will vote on TTIP when the treaty is completed, but does not have the power to make amendments to the final text. This is a massive shame, since this treaty will influence us in major ways. In practice, it will open up our markets to American big business, while the effect for European middle and small enterprises are almost non-existent (as the vast majority of SMEs will not make the step to export to the United States).

Negligible Economic Advantages

The long-term economic advantages of TTIP to Europe is in fact completely negligible. Karel De Gucht, the previous EU Commissioner for Trade until 2014, claimed that TTIP will create lots of jobs in Europe, when in fact, we’re looking at an increase of GDP of at most 0.4 to 0.5 percent over a time period of decades. Claiming that this treaty will be about job creation and creating opportunities for workers on both continents is just completely dishonest, as also claimed in a blog on the U.S. Center for Economic and Policy Research (CEPR) website. According to various studies, the economic advantages are quite negligible. Incidentally, when De Gucht was confronted by some questions asked by the journalist regarding the alleged economic advantages of TTIP, he couldn’t provide an answer. And these are the sorts of people in charge of these things?

ISDS With A Different Name

One important aspect that hasn’t been scrapped in the new resolution is the notorious ISDS provision (Investor-State Dispute Settlement). ISDS is a arbitration provision, that basically says that if a corporation thinks that a certain law passed by a nation-state’s parliament is hurting the profits of the corporation, they will have a way to sue the state for damages, in practice amounting to hundreds of millions of euro’s.

The most laughable thing about this arbitration commission is, that in the initial proposals, it consists of 3 lawyers, one of which will be from the company and another one from the nation state; the third one to be decided by the 2 parties. No legitimate judge would be asked to take this decision, and this provision has the potential to hurt democracy in a massive way. That this was even up for serious discussion is simply insane. When we as people can no longer decide for ourselves what we do and do not allow onto the market, because we should always take into account whether or not that will hurt someone’s business model, what independence do we have left? What will be left of the people’s sovereignty, granted to them by international law?

The ironic thing is that in the latest resolution passed by the European Parliament (P8_TA-PROV(2015)0252), the term “ISDS” has been replaced with: ‘a system for resolving disputes between investors and states’. Tell me: how is that different from “Investor-State Dispute Settlement”? This was just a different term used in the new resolution just so some fractions in the European Parliament can say: “Look people, we stopped ISDS!”, while at the same time the Commission and the negotiating team can say to the Americans that it’s still in. In effect, nothing has changed on this point. The entire concept of investors suing states for damages because legislation is a threat to their business model, and doing so in kangaroo courts, is an utter travesty to the legal system.

Another problem is that big corporations have an excessive influence on European policy-making. During the preparatory phase of TTIP, 590 meetings took place between the Commission and corporate lobbyists. 92% of these meetings were with representatives of big business. In fact, quite a few sentences in the proposals are directly written by the lobbyists, and made it in the proposals virtually unchanged. And this is not only a problem for TTIP, this happens all the time.

Consequences of Arbitrary Arbitration

An example of where this could lead to is the case of Achmea vs the Republic of Slovakia. In this case, Achmea (which is a major Dutch insurance conglomerate) sued the Slovak Republic for damages because they wanted to re-nationalise their health care system. Of course, Achmea stood to lose millions of euros in potential profits due to this policy change, so they sued, citing alleged breaches of the Treaty on encouragement and reciprocal protection of investments between the Czech and Slovak Federal Republic and the Kingdom of the Netherlands. Luckily, the arbitration committee in this case dismissed all of Achmea’s claims, and recognised the sovereignty of the Slovak Republic to make these kinds of policy decisions.

Now imagine what happens when TTIP is implemented, on a massive scale and in a vast area across many different industries? What sovereignty do we have left when we have to think about protecting the profits of huge corporations with each and every policy decision?

Investor-State Dispute Settlement is wholly unnecessary

Protecting investments by means of arbitration committees only makes sense if your trading partner is a country without a well-developed and functioning legal system. It does not make sense whatsoever in the context of a free trade deal between the United States and the EU, since European countries do have functioning legal systems. It isn’t a union of banana republics. At least not yet. So any investment arbitration mechanism in the TTIP treaty that circumvents the nation states’ legal system is wholly unnecessary. The only reason it will make it into the treaty is to give big business a lot more power to overrule the decisions made by our elected representatives. One step closer to a United States of Europe, which in the vision of eurocrats the likes of Guy Verhofstadt is only complete when it stretches from California to the Caspian Sea.

Benito Mussolini, the fascist Italian dictator during WWII, once defined fascism as: the merger of the corporate with the state. When TTIP is passed, the corporate is the state! We will open our European markets up to American multinationals who, as we know, have little concern for labour standards, food safety regulations, and more. It will amount to us lowering our standards to theirs in the interest of “free trade”. If we don’t lower our standards, that would imply that the United States would raise theirs, which is extremely unlikely to happen in the current political climate. It will introduce a dispute settlement system that is actively hostile to the very principle of democracy. And our parliaments will have no say in the matter. Despite what the average eurocrat says, these are very real dangers. But there are even more reasons not to want this trade agreement with the United States.

Two years after Edward Snowden’s revelations were made public, we have seen a move towards more secrecy, more surveillance, and more corporatism, and a lot less transparency and accountability. Transparency and accountability is also a major issue within the EU institutions and in particular the TTIP negotiations, but I’ll get to that it a bit.

Over the last 2 years we have seen moves by various European intelligence agencies to imitate the NSA and GCHQ in their capabilities. Just recently, the Dutch government released for public consulting a proposal aimed to give the AIVD, more power, authorising them to start tapping cable-bound communications.

Also, the FBI by means of James Comey and others in the US and UK (Cameron, May) are desperately trying to ban encryption, against all expert advice. Banning encryption makes us less secure, preventing, for example, banks and corporations from protecting our personal data against interception by criminals. Without encryption we cannot securely shop online, we cannot message online, businesses cannot keep their trade secrets confidential, etc. Encryption is essential to the internet, and essential to innovation.

The important point is this: Do we really want to increase cooperation in the areas of trade and industry, across all sectors, with the country that has been spying on us and disregards its own Constitution and rule of law? Do we really think that is in the interest of European citizens?

I wonder what would happen in the following hypothetical situation. Let’s say for the sake of argument that it is revealed that the Bundesnachrichtendienst (Germany’s foreign intelligence agency) has been spying on the last 3 US Presidents. Would the US then take the initiative and start negotiating a trade deal and much closer cooperation with the Europeans? Or would these actions be strongly condemned and action taken to prevent these actions in the future? I think we know what the response of the US in this hypothetical situation would likely be. However, in the real world, the US has been spying on the Europeans for decades on a massive scale, and we still don’t reconsider who our allies are?

We still mindlessly follow the US lead when it comes to demonising Russia, we don’t consider what actions are in the best interest of European businesses, we continue to give the US great advantages as they continue to stir up trouble, start revolutions and regime changes in Ukraine, hurting stability in the entire region, with MEPs Verhofstadt & Van Baalen joining in, calling for regime change on Maidan square.

The fact that US foreign policy is not a force of good in the world would already be grounds to scrap this entire treaty altogether.

Europe’s democratic deficit

An Ancient Greek ὄστρακον (ostrakon), mentioning Megacles, son of Hippocrates (inscription: ΜΕΓΑΚΛΕΣ ΗΙΠΠΟΚΡΑΤΟΣ), 487 BC. In the ancient Athenian democracy, ὄστρακον were pieces of discarded pottery that people would scratch a name into to cast their vote of who to banish from the city.

Some people may accuse me of being Eurosceptic. That is not the case: I like the concept of European cooperation and integration, I have many clients across Europe, I like the fact that I am able to travel, live, and work anywhere in the European Union. That is not the problem, and in fact, one of the greatest achievements of close European cooperation.

What is the problem, however, is the clear lack of democracy and transparency at the European level at various European institutions. European elections are held to elect Members for a small piece of the pie that is the European Parliament (depending on the country you’re from the piece may be bigger or smaller), but other than that, the European institutions are completely closed from all meaningful interactions with European citizens. The Commission is not elected, and all other European institutions that make or influence European policy also have unelected officials who decide on things. We have 4 different Presidents responsible for God knows what, and all unelected. This is the major problem with the Union, and the thing in my opinion needs to be fixed before we start thinking about further expansion, or the transfer of even more powers to Brussels.

Europe should embrace democracy, not eschew it, like we could see yet again prior to the latest Greek referendum, when various European leaders made threats to the Greek people about the consequences should they not agree to more austerity. Even the President of the European Parliament, Mr. Martin Schultz has made such threats, which is wholly unbecoming of a President of a poor excuse of a Parliament, who should be above all parties, and adhere to independence from such political opinions.

Democracy is a great concept, invented in the 5th century BCE by the ancient Athenians in Greece. We should do more of it!

The Sad Truth

The sad truth regarding TTIP is that — based on the resolution just passed by the EP — I can already make the prediction regarding the final verdict of the European Parliament when the TTIP final document is finally presented to them: they will pass it, and it’ll probably include some sort of ISDS provision. There will probably be time pressure involved, requiring MEPs to read and interpret thousands of pages of legalese in a very short time-frame, which ensures that no MEP will actually read the document they vote on.

I recently gave an interview to RT’s Going Underground programme, regarding Facebook tracking its users and non-users throughout the internet, based on the Share and Like buttons found on millions of websites, and what people can do to stay safe.

About two weeks ago KU Leuven University and Vrije Universiteit Brussel in Belgium published a report commissioned by the Belgian Privacy Commission about the tracking behaviour of Facebook on the internet, more specifically how they track their users (and non-users!) through the ‘Like’ buttons and Share buttons that are found on millions of websites across the internet.

Findings

The results of the investigation are depressing. It was found that Facebook disregards European and Belgian privacy law in various ways. In fact, 10 legal issues have been found by the commission. Facebook frequently dismisses its own severe privacy violations as “bugs” that are still on the list of being fixed (ignoring the fact that these “bugs” are a major part of Facebook’s business model). This allows them to let various privacy commissioners think that privacy violations are the result of unintended functionality, while in fact it is, the entire business model of Facebook is based on profiling people.

Which law applies?

Facebook also does not recognise the fact that in this case Belgian law applies, and claims that because they have an office in Ireland, that they are only bound by Irish privacy law. This is simply not the case. In fact, the general rule seems to be that if you focus your site on a specific market, (let’s say for example Germany), as evidenced by having a German translation of your site, your site being accessible through a .de top-level domain, and various other indicators as well (one option could be the type of payment options provided, if your site offers ways to pay for products or services, or maybe marketing materials), then you are bound by German law as well. This is done to protect German customers, in this example case.

The same principle applies to Facebook. They are active world-wide, and so should be prepared to make adjustments to their services such that they comply with the various laws and regulations of all these countries. This is a difficult task, as laws are often incompatible, but it’s necessary to safeguard consumers’ rights. In the case of Facebook, if they would build their Like and Share buttons in such way that they don’t phone home on page load and don’t place cookies without the user’s consent, they would have a lot less legal problems. The easiest way to comply if you run such an international site, is take the strictest legislation, and implement it such that it complies with that.

In fact, the real reason why Facebook is in Ireland is mostly due to tax reasons. This allows them to evade taxes, by means of the Double Irish and Dutch Sandwich financial constructions.

Informed consent

Another problem is that users are not able to prevent Facebook from using the information they post on the social network site for purposes other than the pure social network site functionality. The information people post, and other information that Facebook aggregates and collects from other sources, are used by Facebook for different purposes without the express and knowing consent of the people concerned.

The problem with the ‘Like’ button

Special attention was given to the ‘Like’ and ‘Share’ buttons found on many sites across the internet. It was found that these social sharing plugins, as Facebook calls them, place a uniquely identifying cookie on users’ computers, which allows Facebook to then correlate a large part of their browsing history. Another finding is that Facebook places this uniquely identifying datr cookie on the European Interactive Digital Advertising Alliance opt-out site, where Facebook is listed as one of the participants. It also places an oo cookie (which presumably stands for “opt-out“) once you opt out of the advertising tracking. Of course, when you remove this cookie from your browser, Facebook is free to track you again. Also note that it does not place these cookies on the US or Canadian opt-out sites.

As I’ve written earlier in July 2013, the problem with the ‘Like’ button is that it phones home to Facebook without the user having to interact with the button itself. The very act of it loading on the page means that Facebook gets various information from users’ browsers, such as the current page visited, a unique browser identifying cookie called the datr cookie, and this information allows them to correlate all the pages you visit with your profile that they keep on you. As the Belgian investigators confirmed, this happens even when you don’t have an account with Facebook, when it is deactivated or when you are not logged into Facebook. As you surf the internet, a large part of your browsing history gets shared with Facebook, due to the fact that these buttons are found everywhere, on millions of websites across the world.

The Filter Bubble

A major problem of personalisation technology, like used by Facebook, but also Google, and others, is that it limits the information users are exposed to. The algorithm learns what you like, and then subsequently only serves you information that you’re bound to like. The problem with that is, that there’s a lot of information that isn’t likeable. Information that isn’t nice, but still important to know. And by heavily filtering the input stream, these companies influence our way of how we think about the world, what information we’re exposed to, etc. Eli Pariser talks about this effect in his book The Filter Bubble: What the Internet is Hiding From You, where he did a Google search for ‘Egypt’ during the Egyptian revolution, and got information about the revolution, news articles, etc. while his friend only got information about holidays to Egypt, tour operators, flights, hotels, etc. This is a vastly different result for the exact same search term. This is due to the heavy personalisation going on at Google, where algorithms refine what results you’re most likely to be interested in, by analysing your previously-entered search terms.

The same happens at Facebook, where they control what you see in your news feed on the Facebook site, based on what you like. Problem is that by doing that a few times, soon you’re only going to see information that you like, and no information that’s important, but not likeable. This massively erodes the eventual value that Facebook is going to have, since eventually, all Facebook will be is an endless stream of information, Facebook posts, images, videos that you like and agree with. It becomes an automatic positive feedback machine. Press a button, and you’ll get a cookie.

What value does Facebook then have as a social network, when you never come in touch with radical ideas, or ideas that you initially do not agree with, but that may alter your thinking when you come in touch with them? By never coming in touch with extraordinary ideas, we never improve. And what a poor world that would be!

Good news on privacy protection for once: after an 11 March 2015 ruling of the Court of The Hague in the Netherlands in the case of the Privacy First Foundation c.s. versus The Netherlands, the court decided to strike down the Dutch data retention law. The law required telecommunication providers and ISPs to store communication and location data from everyone in the Netherlands for a year. The court based its decision on the reasoning that a major privacy infringement of this magnitude needs proper safeguards. The safeguards that were put in place were deemed insufficient by the court. There is too much room for abuse of power in the current law, which was the reason for the The Hague Court to strike it down, effective immediately.

An English article by the Dutch Bits of Freedom foundation explains it in more detail here. An unofficial translation of the court’s decision in English can be found here.

The question remains what will happen now. The law has been struck down, so it seems logical to scrap it entirely. Whether that will happen, or whether the decision stands should the Ministry of Security and Justice appeal the decision, time will tell.

I recently did an interview with RT‘s Going Underground programme, presented by Afshin Rattansi. We talked about the recently-discovered highly sophisticated malware Regin, and whether GCHQ or some other nation state could be behind it. The entire episode can be watched here. For more background information about Regin, you can read my article about it.

Last week, on the 7th of January 2015, the satirical magazine Charlie Hebdo‘s office in Paris was attacked by Islamic fundamentalists. Charlie Hebdo is a French satirical magazine featuring jokes, cartoons, reports etcetera. that is stridently anti-conformist in nature. They make fun of politics, Judaism, Christianity and Islam and all other institutions. Like all of us they have every right to freedom of expression. But alas, fundamentalists did not agree, and opted to violently attack their office in Paris with assault rifles and rocket propelled grenades, leaving 12 people killed and 11 wounded. This was a terrible attack, and my heart goes out to the families and their colleagues and friends who have lost their loved ones.

After the attack, there was (rightly so) worldwide condemnation and the sentence “Je suis Charlie,” French for “I am Charlie,” became the slogan of millions. What I am afraid of however, is not the terrorists who perpetrate these attacks. What frightens me more, is the almost automatic response by politicians who immediately see reasons to implement ever more oppressive legislation, building the surveillance state. After all, the goal of terrorism is to change society by violent means. If we allow them to, the terrorists have already won. Their objective is completed by our own fear.

Hypocrites At The March

When I was watching footage of the march in Paris for freedom of expression I saw that a lot of government leaders were present, most of whom severely obstructed freedom of expression and freedom of the press in their home countries. Now they were were at the march, claiming the moral high ground and claiming to be the guardians of press freedom.

Here’s an overview of some of the leaders present at the march and what they did in relation to restricting press freedom in their own countries, courtesy of Daniel Wickham, who made this list and published it on his Twitter feed:

Politicians like the ones mentioned above, but also the likes of May (UK Home Secretary), Opstelten (the Netherlands’ Justice Minister) and many others are jumping on the bandwagon again to implement new oppressive laws limiting freedom of expression and the civil and human rights of their peoples. With leaders like these, who needs terrorists? Our leaders will happily implement legislation that will severely curtail our freedoms and civil liberties instead of handling the aftermath of tragic events like these as grown-ups. It would be better if they viewed participating in the march as a starting point to start improving the situation in the areas of freedom of expression and freedom of the press at home.

Politicians are using the tragic events in Paris as a way to demand more surveillance powers for the intelligence community in a brazen attempt to curtail our civil liberties in a similar way to what happened after the 9/11 attacks.

All the familiar rhetoric is used again, how it’s a “terrible reminder of the intentions of those who wish us harm,” how the threat level in Britain worsened and Islamic extremist groups in Syria and Iraq are trying to attack the UK, how the intelligence community needs more money to gather intelligence on these people, how our travel movements must be severely restricted and logged, the need for increased security at border checks, a European PNR (Passenger Name Record) (which, incidentally would mean the end of Schengen, one of the core founding principles on which the EU was founded — freedom of movement). The list goes on and on.

A trend can be seen here. UK Home Secretary Theresa May wants to ban extremist speech, and ban people deemed extremist from publicly speaking at universities and other venues. The problem with that is that the definition of extremist is very vague, and certainly up for debate. Is vehemently disagreeing with the government’s current course in a non-violent way extremist? I fear that May thinks that would fit the definition. This would severely curtail freedom of speech both on the internet and in real life, since there are many people who disagree with government policies, and are able to put forward their arguments in a constructive manner.

Before we can even begin to implement laws like these we need to discuss what extremism means, what vague concepts like “national security” mean. There are no clear definitions for these terms at this point, while the legislation that is being put into place since 9/11 is using these vague notions intentionally, giving the security apparatus way too much leeway to abuse their powers as they see fit.

I read that Cameron wants to ban all encrypted communications, since these cannot be decrypted by the intelligence community. This would mean that banks, corporations and individuals would leave themselves vulnerable to all kinds of security vulnerabilities, including identity theft among others, vulnerabilities which cryptographic technologies are meant to solve.

Cryptography is the practice of techniques for secure communication in the presence of adversaries. Without cryptography, you couldn’t communicate securely with your bank, or with companies that handle your data. You also couldn’t communicate securely with various government agencies, or health care institutions, etcetera. All these institutions and corporations handle sensitive information about your life that you wouldn’t want unauthorised people to have access to. This discussion about banning cryptography strongly reminds me of the Crypto Wars of the 1990s.

Making technologies like these illegal only serves to hurt the security of law-abiding citizens. Criminals, like the people who committed the attacks at Charlie Hebdo, wouldn’t be deterred by it. They are already breaking the law anyway, so why worry? But for people who want to comply with the law, this is a serious barrier, and restricting cryptography only hurts our societies’ security.

Norwegians’ Response to Breivik

Instead of panicking, which is what these politicians are doing right now, we should instead treat this situation with much more sanity. Look for instance to how the Norwegians have handled the massacre of 77 people in Oslo and on the Norwegian island of Utøya by Anders Behring Breivik on July 22nd, 2011.

Breivik attacked the Norwegian government district in Oslo, and then subsequently went to Utøya, where a large Labour Party gathering was taking place. He murdered 77 people in total.

The response by the Norwegians was however, very different from what you would expect had the attack taken place in the UK, the US or The Netherlands, for instance. In these countries, the reaction would be the way it is now, with the government ever limiting civil liberties in an effort to build the surveillance state, taking away our liberties in a fit of fear. The Norwegians however, urged that Norway continued its tradition of openness and tolerance. Memorial services were held, the victims were mourned, and live went on. Breivik got a fair trial and is now serving his time in prison. This is the way to deal with crises like this.

Is Mass Surveillance Effective?

The problem with more surveillance legislation is the fact that it isn’t even certain that it would work. The effectiveness of the current (already quite oppressive) surveillance legislation has never been put to the test. Never was a research published that definitively said that, yes, storing all our communications in dragnet surveillance has stopped this many terrorist attacks and is a valuable contribution to society.

In fact, even the White House has released a review of the National Security Agency’s spy programmes in December 2013, months after the first revelations by Edward Snowden, and this report offered 46 recommendations for reform. The conclusion of the report was predictable, namely that even though the surveillance programmes have gone too far, that they should stay in place. But this report has undermined the NSA’s claims that the collection of meta-data and mass surveillance on billions of people is a necessary tool to combat terrorism.

The report says on page 104, and I quote:

“Our review suggests that the information contributed to terrorist investigations by the use of Section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional Section 215 orders.”

And shortly after Edward Snowden’s revelations about the existence of some of these programmes were published, former director of the NSA Keith Alexander testified to the Senate in defence of his agency’s surveillance programmes. He claimed that dozens of terrorist attacks were stopped because of the mass surveillance, both at home and abroad. This claim was also made by President Obama, who said that it was “over 50.” Often, 54 is the exact number quoted. Alexander’s claim was challenged by Senators Ron Wyden (D-OR) and Mark Udall (D-CO), who said that they “had not seen any evidence showing that the NSA’s dragnet collection of Americans’ phone records has produced any valuable intelligence.” The claim that the warrant-less global dragnet surveillance has stopped anywhere near that number of terrorist attacks is questionable to say the least, and much more likely entirely false.

More oppressive dragnet surveillance measures aren’t helping with making the intelligence community any more efficient at their job. In fact, the more intelligence gets scooped up in these dragnet surveillance programmes, the less likely it becomes that a terror plot is discovered before it occurs, so that these may be stopped in time. More data needs to be analysed, and there’s only so much automatic algorithms can do when tasked with filtering out the non-important stuff. In the end, the intel needs to be assessed by analysts in order to determine their value and if necessary act upon it. There is also the problem with false positives, as people get automatically flagged because their behaviour fits certain patterns programmed into the filtering software. This may lead to all sorts of consequences for the people involved, despite the fact that they have broken no laws.

Politicians can be a far greater danger to society than a bunch of Islamic terrorists. Because unlike the terrorists, politicians have the power to enact and change legislation, both for better and for worse. When we are being governed by fear, the terrorists have already won.

The objective of terrorism is not the act itself. It is to try and change society by violent means. If we allow them to change it, by implementing ever more oppressive mass surveillance legislation (in violation of Article 8 of the European Convention on Human Rights (ECHR)), or legislation that restricts the principles of freedom of the press and freedom of speech, enshrined in Article 10 of the ECHR, freedom of assembly and association enshrined in Article 11, or of freedom of movement which is one of the basic tenets on which the European Union was founded, the terrorists have already won.